Abstract

Many papers have proved the security of quantum key distribution (QKD) systems in the asymptotic
framework. The degree of security has not been sufficiently discussed in the finite coding-length
framework. However, guaranteeing the security of any implemented QKD system requires evaluating a
protocol with a finite coding length. For this purpose, we derive a tight upper bound of the
eavesdropper's information. This bound is better than existing bounds. We also obtain the
exponential rate of the eavesdropper's information. Further, we approximate our bound by using
the normal distribution.

I. INTRODUCTION

Quantum key distribution (QKD) was proposed by Bennett & Brassard as a protocol (the BB84
protocol) for sharing secret keys by using a quantum communication channel. Their original
protocol assumes a noiseless quantum channel, but any quantum channel has noise in the realistic
case. Hence, the security of the BB84 protocol in this realistic case had been an open problem
for a long time, and was proved by Mayers [2]. He showed that the protocol becomes secure when it
is constructed by combining classical error correction and a randomly chosen code for privacy
amplification. In his proof, the secure generation key rate is $1 - h(2p) - h(p)$, where $p$ is
the qubit error rate, $h(p)$ is the binary entropy $-p\log p - (1-p)\log(1-p)$, and the base of
the logarithm is 2. He also gave a bound of Eve's information for a finite-length code. His
discussion was extended to a more realistic

After Mayers' proof, Shor & Preskill [4] proved the security based on the method of
Calderbank-Shor-Steane (CSS) codes. Then, they proved the existence of a code achieving the
secure generation key rate $1 - 2h(2p)$ and pointed out the possibility of the secure generation
key rate $1 - 2h(p)$. After their discussion, treating the reliability of CSS codes, Hamada
showed the existence of a code attaining the secure generation key rate $1 - 2h(p)$. He also
derived a bound of Eve's information for a finite-length code, which yields the asymptotic
secure generation key rate $1 - 2h(p)$. However, they did not discuss the complexity of the
encoding and decoding, while the complexity of privacy amplification is not so large in Mayers'
proof [2].

Following these studies, Christandl, Renner, & Ekert [8], Renner, Gisin, & Kraus [9], and Koashi
showed that the asymptotic secure generation key rate $1 - 2h(p)$ is attained when the protocol
is constructed by combining classical error correction and randomly choosing. However, they did
not explicitly give the bound of Eve's information for a finite-length code. S. Watanabe,
R. Matsumoto & Uyematsu [11] considered Eve's information for a finite-length code based on
random privacy amplification, which yields the asymptotic secure generation key rate $1 - 2h(p)$.

On the other hand, Stucki et al. demonstrated quantum key distribution over 67 km between Geneva
and Lausanne. Kimura et al. succeeded in 150 km QKD transmission with the error rate 8 - 9 %.
Also, Gobby et al. [14] achieved 122 km QKD transmission with the error rate 8.9 %. Tanaka et
al. [15] demonstrated continuous quantum key distribution over 16.3 km of commercial-use fiber
for 14 days, and Yuan & Shields [16] did it over 20.3 km of installed telecom fiber for 19
hours. In these experiments, they succeeded in realizing real systems that could become truly
secure if a coding system with infinite coding length were used. Hence, there is no implemented
system whose security is guaranteed. Thus, it is required to realize the error correcting code
and the privacy amplification for guaranteeing the security of the implemented QKD system.

However, the sizes of the error correcting code and the random privacy amplification required
for a given quantum bit error rate, e.g., 8 %, have not been clarified. Therefore, many QKD
experimental researchers want to know a tighter upper bound of Eve's information for given
sizes of the classical error correcting code and the random privacy amplification.

In this paper, we derive, for the first time, an upper bound of Eve's information satisfying the
following conditions. 1) The upper bound depends only on the size of random privacy
amplification. 2) By using this bound, the key generation rate $1 - 2h(p)$ can be attained. In
fact, Mayers' discussion [2] gives an upper bound in the finite-length case, but his discussion
yields the rate $1 - h(2p) - h(p)$, not the rate $1 - 2h(p)$. The discussion by S. Watanabe et
al. [11] yields the rate $1 - h(p)$, but the bound depends on the error correction. Koashi's
discussion satisfies conditions 1) and 2), but his discussion does not clearly give the bound in
the finite-length case. Further, the protocol in his paper and his older paper is slightly
different from the simple combination of the classical error correction and the random privacy
amplification. Our upper bound is also better than that by S. Watanabe et al. [11].

Moreover, it is shown that our evaluation cannot be further improved in the sense of the
exponential rate when the classical error correcting code satisfies a specific condition. In
this case, the exponential rate of our upper bound of Eve's information can be attained by a
collective attack, which is realized by individual operations on the channel and a collective
operation on Eve's local memory, while our bound is valid even for the coherent attack, which
includes any attack by Eve allowed by the physical principle. That is, no coherent attack can
improve on the best collective attack in the sense of the exponential rate of Eve's
information. Indeed, Renner et al. [9] proved that it is sufficient to show the security for
collective attacks for the treatment of the asymptotic key generation rate since any channel
can be approximated by a separable channel by using random permutation. This result can be
regarded as the extension of Renner's result to the exponential framework. Also, this implies
that our evaluation gives the optimal (minimum) exponential rate of Eve's information.

There is another type of asymptotic treatment besides the exponential treatment. In statistics,
when the variables obey an independent and identical distribution, the distribution can
be approximated by the normal distribution. We also succeeded in approximating our upper
bound by using the normal distribution. In this approximation, we treat the asymptotic
behavior when the size of the random privacy amplification is given as the form 2"^(p><+^(px)) 
for the estimate px of the phase error rate while in the large deviation case (the exponential 
rate case) we treat it when the size is given as the form 2"^^P'^^^^P'^^^^\ where e and e are 
functions of px- 

Here, we should remark that our results cannot be obtained by the combination of existing
results. The main technical point is the relation between Eve's information and the phase
error probability, which is given in Lemma 2. Owing to this lemma, Eve's information can
be bounded without any discussion of the classical error correcting code for bit error. Further,
in association with the error correction of phase error, we obtain an upper bound of the
average error probability of a modified random coding when minimum Hamming distance
decoding is applied (Lemma 1). Combining these new techniques, we obtain the upper
bounds (Theorems 1 and 2) through a long careful derivation.

In the following, the organization of this paper is explained. First, we briefly explain
classical error correcting codes, and describe our protocol using this knowledge in section II.
In section III, we give an upper bound of Eve's information per one code and that of Eve's
information per one bit. The random privacy amplification corresponds to the random coding
concerning the phase error. Hence, we treat the average error of random coding in section IV.
The generalized Pauli channel is known as an important class of noisy channels. In quantum key
distribution, the noisy channel does not necessarily belong to this class. However, if we use
linear codes, we can treat any noisy channel as a generalized Pauli channel. We summarize
notations and properties of the generalized Pauli channel in section V. In section VI, we prove
the main theorem by assuming an upper bound of Eve's information when Eve's attack is known. In
section VII, we derive a relation between the phase error and Eve's information. In section
VIII, the bound used in section VI is proved by using the properties of the generalized Pauli
channel, the bound of average error, and the relation obtained in section VII.

Further, we give the asymptotic behavior in the two asymptotic frameworks in section III.
Asymptotic formulas for large deviation and limiting distribution are proved in Appendixes
B and A, respectively. Based on this evaluation, we compare our large deviation bound with
the bound by S. Watanabe, R. Matsumoto & Uyematsu [11]. Further, in section IX, we prove that
the exponential rate of our bound of Eve's information can be attained by the collective attack
under a specific condition.



II. PROTOCOL 



In this section, we describe our protocol. Since our protocol employs the method of classical
error correcting codes, we first explain classical error correcting codes in preparation for
the description of our protocol.



A. Classical error correcting code 

When the noise in a binary signal $\mathbb{F}_2 = \{0, 1\}$ is symmetric, the binary channel is
described by a probability distribution $\{p, 1-p\}$. In this case, when we send a binary string
(in $\mathbb{F}_2^n$), the noise can be described by a binary string $N$ and is characterized by
the distribution $P$ on $\mathbb{F}_2^n$. Then, when the input signal is described by the random
variable $X$, the output signal is described by the random variable $X + N$. An error correcting
code is a method for removing the difference $N$. In an error correcting code with $n$ bits, we
prepare an $m$-dimensional linear subspace $C$ of $\mathbb{F}_2^n$, and the sender (Alice) and
the receiver (Bob) agree before the communication that only elements of $C$ are sent. This
linear subspace is called a code or an $[n, m]$ code. In this case, an encoding is given by a
linear map $G(C)$ from $\mathbb{F}_2^m$ to $C$. Of course, the map $G(C)$ is given as an
$m \times n$ matrix with 0, 1 entries. Hence, when Bob receives an element outside $C$, he can
detect that noise is present and choose the most appropriate element of $C$ based on the
obtained binary string. Here, we can correct only one element in each equivalence class
$[X] \in \mathbb{F}_2^n/C$. More precisely, we choose the most likely noise $\Gamma([X])$ in
each equivalence class $[X]$. This element is often called the representative, and the set of
representatives is denoted by $\Gamma$. More generally, the decoding process is described by a
map $D: \mathbb{F}_2^n \to \mathbb{F}_2^m$.
Hence, when Bob receives $X + N$, he decodes it to
$X + N - \Gamma([X + N]) = X + N - \Gamma([N])$. Thus, the decoding error is described by the
behavior of the random variable $N - \Gamma([N])$ and does not depend on the input signal $X$.
When the noise belongs to the set $\Gamma$, we can properly correct the error. The error
probability is equal to $1 - P(\Gamma)$.

Suppose that there exists an eavesdropper (Eve) obtaining some information concerning the
original signal $X$. In this case, we prepare a linear subspace $C'$ of $C$, and Alice sends the
information as an element of $C/C'$. That is, when she sends information corresponding to
$[X] \in C/C'$, she chooses one element of $[X]$ with equal probability and sends it.
This operation is called privacy amplification.

B. Our protocol 

Using this method, we can reduce Eve's information. However, it is not easy to evaluate how much
information Eve has in this case. The purpose of this paper is to evaluate Eve's information. In
this case, the probability that Bob recovers the original information correctly is equal to
$P(\Gamma + C')$, where $\Gamma + C' := \{\Gamma([X]) + X' \mid X \in \mathbb{F}_2^n, X' \in C'\}$.
In addition, when we choose each linear subspace $C'$ of $C$ with equal probability and we
regard $C$ as $\mathbb{F}_2^m$ and $C/C'$ as $\mathbb{F}_2^{m-\bar m}$, the function from
$\mathbb{F}_2^m$ to $\mathbb{F}_2^{m-\bar m}$ is called the universal hashing function. This
function can be constructed as an $(m - \bar m) \times m$ matrix by choosing the elements with
the uniform distribution.

Using this preparation, we briefly describe our protocol for quantum key distribution that can
be realized with small complexity. After this description, we present it precisely. In our
protocol, after quantum communication, Alice and Bob check their bases by using the public
channel, announce a part of the obtained bits, and estimate the bit error rate $p_+$ and the
phase error rate $p_\times$. Here, we denote Alice's remaining bit strings with the + basis and
the $\times$ basis by $X_+$ and $X_\times$, respectively. Similarly, we denote Bob's remaining
bit strings by $\tilde X_+$ and $\tilde X_\times$. These bit strings are called raw keys. Hence,
the rates of 1 in the difference $N_+ = X_+ - \tilde X_+$ and the difference
$N_\times = X_\times - \tilde X_\times$ are almost equal to $p_+$ and $p_\times$, respectively.

Using the following process, Alice and Bob remove their errors and share a bit string with
almost no error. Alice generates another bit string $X'$ and sends the bit string
$K := X' + X_+$ to Bob. Based on the information $K$, Bob obtains the information
$X'' := K - \tilde X_+ = X' + N_+$. Using this method, we can realize a classical channel with
the input $X'$ and the output $X''$. The error rate of this channel is almost equal to $p_+$. By
applying classical error correction to this channel, Alice and Bob can share a bit string with
almost zero error. In this case, Alice generates an element $X' \in \mathbb{F}_2^m = C$, and Bob
recovers $X''' := D(X'')$. Then, $X'''$ coincides with $X'$ with high probability. Finally,
Alice and Bob apply the above-mentioned hashing function to their respective keys. That is,
Alice randomly generates the $(m - \bar m) \times m$ matrix $A$ with rank $m - \bar m$ and sends
this matrix. Then, Alice and Bob obtain their final keys $AX'$ and $AX'''$.
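
The classical post-processing described above (sending $K$, decoding with coset representatives, then hashing with a random full-rank matrix), as an added Python example that is not code from the paper. It assumes the [7,4] Hamming code as $C$ and constructed 7-bit raw keys; all function names are illustrative.

```python
import itertools
import random

N, M = 7, 4  # length n and dimension m of the [7,4] Hamming code (assumed choice of C)

# Generator matrix G(C), systematic: the first m bits of a codeword are the message.
G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# Parity-check matrix: the syndrome of y labels its coset [y] in F_2^n / C.
H = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def mat_vec(rows, v):
    """Multiply a binary matrix (list of rows) by a vector over F_2."""
    return [sum(r * x for r, x in zip(row, v)) % 2 for row in rows]


def encode(z):
    """G(C): F_2^m -> C, the codeword z G."""
    return [sum(z[i] * G[i][j] for i in range(M)) % 2 for j in range(N)]


def syndrome(y):
    return tuple(mat_vec(H, y))


def coset_representatives():
    """Gamma: the most likely (minimum-weight) noise in each coset of F_2^n / C."""
    reps = {}
    for x in sorted(itertools.product((0, 1), repeat=N), key=sum):
        reps.setdefault(syndrome(x), list(x))  # first hit has the lowest weight
    return reps


GAMMA = coset_representatives()


def decode(y):
    """D: F_2^n -> F_2^m, subtract Gamma([y]) and read off the message bits."""
    return xor(y, GAMMA[syndrome(y)])[:M]


def decoding_error_probability(p):
    """1 - P(Gamma) for a binary symmetric channel with flip probability p."""
    return 1 - sum(p ** sum(g) * (1 - p) ** (N - sum(g)) for g in GAMMA.values())


def rank_gf2(rows):
    """Rank over F_2, by Gaussian elimination on rows packed into integers."""
    vals = [int("".join(map(str, r)), 2) for r in rows]
    rank = 0
    while vals:
        pivot = vals.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot  # lowest set bit of the pivot row
            vals = [v ^ pivot if v & low else v for v in vals]
    return rank


def random_hash_matrix(m, m_bar, rng):
    """Random (m - m_bar) x m binary matrix A of full rank m - m_bar."""
    while True:
        a = [[rng.randrange(2) for _ in range(m)] for _ in range(m - m_bar)]
        if rank_gf2(a) == m - m_bar:
            return a


def share_key(x_alice, x_bob, m_bar, rng):
    """Error correction plus privacy amplification on raw keys X_+ and Bob's copy."""
    z = [rng.randrange(2) for _ in range(M)]   # Alice's random message, X' = encode(z)
    k = xor(encode(z), x_alice)                # K := X' + X_+, sent over the public channel
    z_bob = decode(xor(k, x_bob))              # X'' = K - (Bob's raw key) = X' + N_+
    a = random_hash_matrix(M, m_bar, rng)      # A, announced by Alice
    return mat_vec(a, z), mat_vec(a, z_bob)    # final keys


if __name__ == "__main__":
    rng = random.Random(2024)
    alice_raw = [1, 0, 1, 1, 0, 0, 1]          # constructed raw key
    bob_raw = [1, 0, 1, 1, 1, 0, 1]            # same key with one bit error
    print(share_key(alice_raw, bob_raw, 2, rng))
    print(decoding_error_probability(0.075))
```

With a single bit error in the raw key the two final keys agree; two errors fall outside $\Gamma$ and the decoder returns a wrong message, which is the event whose probability is $1 - P(\Gamma)$.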

Therefore, the rate of final key to the raw key is equal to R — Roughly speaking, it 
is suitable to choose $m$ as an integer a little smaller than $(1 - h(p_+))n$, and $\bar m$ as an integer a
little larger than $h(p_\times)n$. Then, the generation rate $R$ is almost equal to $1 - h(p_+) - h(p_\times)$.

In the following, we describe our protocol more precisely. For this purpose, we need some
mathematical notations. The quantum system of each quantum signal is the two-dimensional
Hilbert space $\mathcal{H}_2$, which is spanned by $\{|a\rangle\}_{a \in \mathbb{F}_2}$. We need
to fix integers $n_+$, $l_+$, $m_+$, $n_\times$, $l_\times$, and $m_\times$ that describe the
size of our code. For classical error correction, we choose an $m_+$-dimensional classical code
$C_{1,+}$ in $\mathbb{F}_2^{n_+}$ (an $m_+$-dimensional linear space $C_{1,+}$ of
$\mathbb{F}_2^{n_+}$), and an $m_\times$-dimensional classical code $C_{1,\times}$ in
$\mathbb{F}_2^{n_\times}$. We also fix the thresholds $\underline{k}_+$, $\bar{k}_+$,
$\underline{k}_\times$, and $\bar{k}_\times$, and the allowable statistical fluctuation
$\delta_k$ for each count $k$ of error.

(i) The sender, Alice, and the receiver, Bob, repeat steps (ii)-(iv) for each $i$.

(ii) Alice chooses a random bit $a_i$ and a random bit $b_i$.

(iii) Bob chooses a random bit $c_i$.

(iv) When $b_i = 0$, Alice sends the quantum state $|a_i\rangle$; otherwise, she sends the state
$\frac{1}{\sqrt{2}}(|0\rangle + (-1)^{a_i}|1\rangle)$.

In the following, $\{|0\rangle, |1\rangle\}$ is called the + basis, and
$\{\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)\}$ is
called the $\times$ basis.

(v) Alice and Bob announce $b_i$ and $c_i$ and discard any results for $b_i \neq c_i$. They
obtain an $(n_+ + l_+)$-bit sequence with $b_i = c_i = 0$, and an $(n_\times + l_\times)$-bit
sequence with $b_i = c_i = 1$.

(vi) Alice randomly chooses check bits $X_{+,c,1}, \ldots, X_{+,c,l_+}$ among the $n_+ + l_+$
bits with the + basis and check bits $X_{\times,c,1}, \ldots, X_{\times,c,l_\times}$ among the
$n_\times + l_\times$ bits with the $\times$ basis, announces the positions of these bits, and
sends their information. They obtain the estimates $p_+$ and $p_\times$ with the respective
basis. That is, they count the numbers of error bits
$k_+ = |\{i \mid X_{+,c,i} \neq \tilde X_{+,c,i}\}|$ and
$k_\times = |\{i \mid X_{\times,c,i} \neq \tilde X_{\times,c,i}\}|$, where $\tilde X_{+,c,i}$
and $\tilde X_{\times,c,i}$ are Bob's check bits. However, when $k_+$ is greater than the
threshold $\bar{k}_+$, they discard their remaining bits with the $\times$ basis. When
$k_\times$ is greater than the threshold $\bar{k}_\times$, they discard their remaining bits
with the + basis. Further, when $k_+$ is less than the other threshold $\underline{k}_+$, they
replace $k_+$ by $\underline{k}_+$. When $k_\times$ is less than the other threshold
$\underline{k}_\times$, they replace $k_\times$ by $\underline{k}_\times$.

In the following, we treat only the bit string of the + basis. We denote Alice's (Bob's)
remaining $n_+$-bit string with the + basis by $X_+$ ($\tilde X_+$). After this process, they
apply the same procedure to the remaining bit strings with the $\times$ basis.

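(vii) Alice generates $Z_+ \in \mathbb{F}_2^{m_+}$ randomly, and sends Bob $G(C_{1,+})Z_+ + X_+$.

(viii) Bob obtains the signal $G(C_{1,+})Z_+ + X_+ - \tilde X_+ \in \mathbb{F}_2^{n_+}$. Performing the decoding of the
code $C_{1,+} \subset \mathbb{F}_2^{n_+}$, he obtains $\tilde Z_+ \in \mathbb{F}_2^{m_+}$.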

(ix) Alice chooses rh :— nxh{kx/lx + ) -dimensional subcode C2,+(y+, kx) C F^+ based 
on random variables such that any element x E F^+ belongs to 6*2,+ kx) 

.11 1 1 .1. o"+^'-''>^^^>^+^k^)_. 

with the probability 2"^+-! ■ 

(x) Alice obtains the secret information := [■^+]c2+(y+ kx) ^ •^2*^/^2,+ (^+, ^x)- 

(xi) Bob obtains the secret information Z. b '■ 



JC2,+(y+,fcx) 



For example, an $s$-dimensional code $C_2(Y, s)$ in $\mathbb{F}_2^{m_+}$ is constructed based on
$s$ random variables $Y := (X_1, \ldots, X_s)$ in $\mathbb{F}_2^{m_+}$ as
$C_2(Y, s) := \langle X_1, \ldots, X_s \rangle$, where $Y$ obeys the uniform distribution on the
set $\{Y \mid X_1, \ldots, X_s \text{ are linearly independent}\}$.



C. Extension of our protocol 

Indeed, in the realistic case, the bottleneck is often the estimation error of the error rate.
Hence, in order to decrease the error of the estimation of the phase error rate $p_\times$, we
propose the following modified protocol for any integer $a$. In the modified protocol, we
replace steps (v) and (vi) by the following, and add step (xii).

(v) Alice and Bob announce $b_i$ and $c_i$ and discard any results for $b_i \neq c_i$. They
obtain an $(an_+ + l_+)$-bit sequence with $b_i = c_i = 0$, and an $(an_\times + l_\times)$-bit
sequence with $b_i = c_i = 1$.

(vi) Alice randomly chooses $n_+$ bits among the remaining $an_+$ bits with the + basis and
obtains the $n_+$-bit string $X_+$. She also sends their positions to Bob. Bob obtains the
$n_+$-bit string $\tilde X_+$. They do the same procedure for the $\times$ basis.

(xii) They repeat steps (vii) - (xi) $a$ times.

In the above protocol, the estimation of the phase error $p_\times$ has the same accuracy as
that of the first protocol with $al_\times$ check bits of the $\times$ basis.



III. SECURITY 



In this section, we evaluate the security of our protocol. In the following, for simplicity,
we abbreviate $l_\times$ and $n_+$ by $l$ and $n$, respectively.



A. Finite-length case 

The security of this protocol is evaluated by the mutual information $I(Z_+, Z_E)$ between
Alice's final key $Z_+$ and the eavesdropper (Eve)'s information $Z_E$. It is mathematically
defined by

$$I(Z_+, Z_E) := -\sum_{Z_E} P(Z_E) \log P(Z_E) + \sum_{Z_+} P(Z_+) \sum_{Z_E} P(Z_E|Z_+) \log P(Z_E|Z_+).$$

In order to evaluate this value, we have to treat the hypergeometric distribution
$P_{hg}(k|n,l,j) := \binom{l}{k}\binom{n}{j-k} / \binom{n+l}{j}$. This is because the random
sampling obeys the hypergeometric distribution. It is known that its average is
$\frac{lj}{n+l}$ and its variance is $\frac{jln(n+l-j)}{(n+l)^2(n+l-1)}$. In this paper, we
focus on the average of Eve's information
$\mathrm{E}_{\mathrm{pos}_\times,k_\times,Y_+|\mathrm{pos}_+,k_+,Y_\times}[I(Z_+, Z_E)]$ for
each $n$, $l$, where $\mathrm{pos}_+$ and $\mathrm{pos}_\times$ are the random variables
indicating the positions of the check bits of the $\times$ basis and the + basis, respectively.
Some papers guarantee the security by proving that for any $\epsilon_1 > 0$ and
$\epsilon_2 > 0$ there exist integers $n$ and $l$ such that

$$P(I(Z_+, Z_E) > \epsilon_2) < \epsilon_1. \qquad (1)$$

Indeed, when
$\mathrm{E}_{\mathrm{pos}_\times,k_\times,Y_+|\mathrm{pos}_+,k_+,Y_\times}[I(Z_+, Z_E)] < \epsilon_1\epsilon_2$,
Markov inequality guarantees the inequality (1). Hence, we can recover the probabilistic
behavior (1) of Eve's information from the evaluation of the average of Eve's information.
Therefore, in this paper, we concentrate on the evaluation of the average of Eve's information.

Theorem 1 When R is the rate of the code Ci and the threshold k is less than ^, we have 



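$$\mathrm{E}_{\mathrm{pos}_\times,k_\times,Y_+|\mathrm{pos}_+,k_+,Y_\times}[I(Z_+, Z_E)] \le P(\delta, n, l, \underline{k}, \bar{k}), \qquad (2)$$

where

$$P(\delta, n, l, \underline{k}, \bar{k}) := \max_j \bar{h}\Big( \sum_{k=0}^{\underline{k}} P_{hg}(k|n,l,j) f(j-k, \underline{k}|n,l,\delta_{\underline{k}}) + \sum_{k=\underline{k}+1}^{\bar{k}} P_{hg}(k|n,l,j) f(j-k, k|n,l,\delta_k) \Big)$$
$$\qquad + \max_j \Big[ \sum_{k=0}^{\underline{k}} P_{hg}(k|n,l,j) f(j-k, \underline{k}|n,l,\delta_{\underline{k}})\, n(R - h(\underline{k}/l + \delta_{\underline{k}})) + \sum_{k=\underline{k}+1}^{\bar{k}} P_{hg}(k|n,l,j) f(j-k, k|n,l,\delta_k)\, n(R - h(k/l + \delta_k)) \Big]$$

and

$$\bar{h}(x) := \begin{cases} h(x) & x < 1/2 \\ 1 & x \ge 1/2 \end{cases}$$

$$f(k', k|n, l, \delta) := \begin{cases} \min\{2^{n(h(k'/n) - h(k/l + \delta))}, 1\} & \text{if } k' < n/2 \\ 1 & \text{if } k' \ge n/2. \end{cases}$$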

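Further, Eve's information per one bit is evaluated as follows.
Theorem 2 When $R$ is the rate of the code $C_1$, we have

$$\mathrm{E}_{\mathrm{pos}_\times,k_\times,Y_+|\mathrm{pos}_+,k_+,Y_\times}\Big[ \frac{I(Z_+, Z_E)}{n(R - h(k_\times/l_\times + \delta_{k_\times}))} \Big] \le \tilde{P}(\delta, n, l, \underline{k}, \bar{k}),$$

where

$$\tilde{P}(\delta, n, l, \underline{k}, \bar{k}) := \max_j \frac{1}{n(R - h(\bar{k}/l + \delta_{\bar{k}}))} \bar{h}\Big( \sum_{k=0}^{\underline{k}} P_{hg}(k|n,l,j) f(j-k, \underline{k}|n,l,\delta_{\underline{k}}) + \sum_{k=\underline{k}+1}^{\bar{k}} P_{hg}(k|n,l,j) f(j-k, k|n,l,\delta_k) \Big)$$
$$\qquad + \max_j \Big[ \sum_{k=0}^{\underline{k}} P_{hg}(k|n,l,j) f(j-k, \underline{k}|n,l,\delta_{\underline{k}}) + \sum_{k=\underline{k}+1}^{\bar{k}} P_{hg}(k|n,l,j) f(j-k, k|n,l,\delta_k) \Big].$$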

The proofs of these theorems are divided into two parts: (i) the security of a known channel
(section VIII), (ii) the security of an unknown channel, which is given by estimating the channel
and employing part (i) (section VI). For the treatment of the quantum channel, we prepare the
notations of the generalized Pauli channel in section V. For the discussion of part (i), we
derive a bound of average error concerning the classical error correcting code in Section IV, and
a bound of Eve's information using the phase error in Section VII.



B. Approximation using normal distribution 

In the following, we calculate the above value approximately. For this purpose, we choose 
two probabilities p < p < |, and a continuous function p i-^ e(p). When k = pi, k = pi, 
= r, 5k = 4=7, as is shown in Appendix |X1 we obtain 

lim P{S,n,l,k,k) = max $ ( -^^^^2e(p) ) , (3) 

n^oo pe[p,p] \^ ^/p{l -p) J 

where $\Phi$ is the distribution function of the standard Gaussian distribution:

$$\Phi(x) := \int_{-\infty}^{x} \frac{1}{\sqrt{2\pi}} e^{-y^2/2}\, dy.$$

Hence, in order to keep the security level $\epsilon$ per one bit, it is suitable to choose
$\delta_k$ to be

$$-\sqrt{\frac{n+l}{nl}} \sqrt{\frac{k}{l}\Big(1 - \frac{k}{l}\Big)}\, \Phi^{-1}(\epsilon)$$

when $P(\delta, n, l, \underline{k}, \bar{k})$ can be approximated by the RHS of (3). That is,
our upper bound is almost determined by
$\sqrt{\frac{nl}{n+l}} \frac{1}{\sqrt{\frac{k}{l}(1 - \frac{k}{l})}} \delta_k$.

Now, we consider the case when we use a low-density parity-check (LDPC) code as the code $C_1$.
In this case, $R = 0.5$ and $n = 10{,}000$ is one realistic case. As a realistic case, let us
consider $l = 1{,}000$, $p = 0.075$, $\delta_k = 0.01$. Then, we have
$-\sqrt{\frac{nl}{n+l}} \frac{1}{\sqrt{p(1-p)}} \times \delta_k = -1.14$. The security level
$\Phi\big(-\sqrt{\frac{nl}{n+l}} \frac{1}{\sqrt{p(1-p)}} \delta_k\big) = 0.126$ is not
sufficient. However, it is not easy to increase the size $n$. Hence, we adopt the modified
protocol. In this case, we replace only $l$ by the following values. In the case of
$l = 20{,}000$, the security level is almost 0.001.



$l$                                                        1,000    10,000    20,000     30,000     40,000     50,000
$-\sqrt{\frac{nl}{n+l}} \frac{\delta_k}{\sqrt{p(1-p)}}$    -1.14    -2.68     -3.10      -3.29      -4.00      -3.47
$\Phi(\cdot)$                                              0.126    0.00363   0.000968   0.000505   0.000342   0.000264
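
An added Python example (not from the paper) that evaluates the normal-approximation security level for the numbers used in this section, assuming the level is $\Phi(-\sqrt{nl/(n+l)}\,\delta_k/\sqrt{p(1-p)})$, the reading that reproduces the quoted values $-1.14$ and $0.126$. Function names are illustrative; it also shows that the level saturates as $l$ grows, so some targets cannot be met by adding check bits alone.

```python
from math import log2, sqrt
from statistics import NormalDist

PHI = NormalDist()  # standard Gaussian; PHI.cdf is the distribution function Phi


def phi_argument(n, l, p, delta):
    """Argument of Phi: -sqrt(nl/(n+l)) * delta / sqrt(p(1-p))."""
    return -sqrt(n * l / (n + l)) * delta / sqrt(p * (1 - p))


def security_level(n, l, p, delta):
    """Approximate bound on Eve's information per bit for margin delta."""
    return PHI.cdf(phi_argument(n, l, p, delta))


def required_delta(n, l, p, eps):
    """Margin delta_k that gives security level eps (0 < eps < 1)."""
    return -sqrt((n + l) / (n * l)) * sqrt(p * (1 - p)) * PHI.inv_cdf(eps)


def min_check_bits(n, p, delta, eps):
    """Smallest number of check bits l reaching level eps, or None if unreachable.

    As l grows, nl/(n+l) tends to n, so the level never drops below
    Phi(-sqrt(n) * delta / sqrt(p(1-p))) for fixed n and delta.
    """
    floor = PHI.cdf(-sqrt(n) * delta / sqrt(p * (1 - p)))
    if eps <= floor:
        return None
    hi = 1
    while security_level(n, hi, p, delta) > eps:
        hi *= 2
    lo = 1
    while lo < hi:  # bisection; the level decreases monotonically in l
        mid = (lo + hi) // 2
        if security_level(n, mid, p, delta) <= eps:
            hi = mid
        else:
            lo = mid + 1
    return lo


def binary_entropy(x):
    return 0.0 if x in (0.0, 1.0) else -x * log2(x) - (1 - x) * log2(1 - x)


def sacrificed_bits(n, p, delta):
    """Extra key bits removed because of the margin: n (h(p + delta) - h(p))."""
    return n * (binary_entropy(p + delta) - binary_entropy(p))


if __name__ == "__main__":
    n, p, delta = 10_000, 0.075, 0.01  # values used in the text
    for l in (1_000, 10_000, 20_000, 30_000, 40_000, 50_000):
        print(l, round(phi_argument(n, l, p, delta), 2), security_level(n, l, p, delta))
    print("check bits needed for 1e-3:", min_check_bits(n, p, delta, 1e-3))
    print("check bits needed for 1e-5:", min_check_bits(n, p, delta, 1e-5))
    print("bits spent on the margin:", sacrificed_bits(n, p, delta))
```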



C. Large deviation 

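Next, we focus on the large deviation type evaluation. Choose a function
$p \in [\underline{p}, \bar{p}] \mapsto \epsilon(p)$ and define

$$E(\epsilon, r, \underline{p}, \bar{p}) := \min_{p \in [\underline{p}, \bar{p}]} \min_{\epsilon'} \big[ h(p + r(\epsilon(p) - \epsilon')) - (1 - r)h(p) - 2rh(p + \epsilon(p) - \epsilon') + rh(p + \epsilon(p)) \big].$$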

When k = pl, r = 5k = as is shown in Appendix IB| we obtain 



E{e,r,p,p) = lim — log P{5,n, I, k,k). 

— n^oo n 



Further, 



P{5, n, /, k, k) <k{n + / + l)n{R - h{p + 5p))2^^(^''^'P'^') 

+ /i(I(n + / + l)2^^(^'"'5'?^)). 

Hence, given a fixed real number $E$, it is suitable to choose $\epsilon(p)$ satisfying that

$$E = \min_{\epsilon'} \big[ h(p + r(\epsilon(p) - \epsilon')) - (1 - r)h(p) - 2rh(p + \epsilon(p) - \epsilon') + rh(p + \epsilon(p)) \big]$$


(4)



(5)
for any probability $p \in [\underline{p}, \bar{p}]$. Further, when $\epsilon(p)$ is sufficiently small, using the relation
d{p\\q) := plog I + (1 — p) log = j^E^i^^ we have the approximation. 

h{p + r(e(p) — e')) — (1 — r)h{j>) — rh{j) + (e(p) — e')) 
+ rh{p + e(p)) — rh{j) + (e(p) — e')) 
= (1 - r)d{p\\p + r(e(p) - e')) + rd{p + t{p)\\p + r(e(p) - e')) 
+ r{h{p + e(p)) - h{p + (e(p) - e'))) 

= " Pil-P) + ' ^ • 

In this approximation, when $\epsilon(p)$ is small enough, the minimum is attained at
$\epsilon' = 0$. Hence,

$$\min_{\epsilon'} \big[ h(p + r(\epsilon(p) - \epsilon')) - (1 - r)h(p) - rh(p + \epsilon(p) - \epsilon') + rh(p + \epsilon(p)) - rh(p + \epsilon(p) - \epsilon') \big]$$
$$= h(p + r\epsilon(p)) - (1 - r)h(p) - rh(p + \epsilon(p)). \qquad (6)$$

The maximum value of $\epsilon(p)$ satisfying (6) corresponds to the critical rate in the
classical channel coding theory. Therefore, when the number $\epsilon(p)$ is sufficiently small
for each $p \in [\underline{p}, \bar{p}]$, we obtain

$$E = h(p + r\epsilon(p)) - (1 - r)h(p) - rh(p + \epsilon(p)) \cong \frac{r(1-r)\epsilon(p)^2}{(\ln 2)(p + r\epsilon(p))(1 - (p + r\epsilon(p)))}. \qquad (7)$$

Hence, in this case, in order to keep the exponential rate $E$, we choose $\epsilon(p)$ as

$$\epsilon(p) = \frac{(\ln 2)Er(1 - 2p)}{2(r(1-r) + (\ln 2)Er^2)} + \frac{\sqrt{(\ln 2)^2E^2r^2 + 4p(1-p)r(1-r)(\ln 2)E}}{2(r(1-r) + (\ln 2)Er^2)} \cong \frac{\sqrt{p(1-p)}}{\sqrt{r(1-r)}} \sqrt{(\ln 2)E} \quad \text{as } E \to 0.$$


Here, we compare our bound with that by S. Watanabe, R. Matsumoto & Uyematsu [11]. Since their
protocol is different from our protocol, we compare our protocol with their protocol with the
same size of code. This is because the size of the code almost corresponds to the cost of its
realization. Then, their case corresponds to our case with $\underline{p} = \bar{p} = p$ and
$l = n$. They derived the following upper bound (8) of the security in their protocol when the
codes $C_2 \subset C_1$ satisfy the following condition: the codes $C_1/C_2$ and
$C_2^\perp/C_1^\perp$ have the decoding error probability $\epsilon$ when the channel is the
binary symmetric channel with the error probability $p$.

Eposx,fcx|pos+,fc+ [I Ze)] 
<M2(^ + lfe + 4(n + l)V^") 

+ 4n(^ + l)2£ + 8n(n + l)2e-'^". (8) 

However, even if the error probability e is zero, our evaluation (jSJ is better than their 
evaluation (jH)). In particular, when e(p) is sufficiently small, we can use From Pinsker 
inequality: {ln2)d{p\\q) > {p — q)'^\l^, our exponential rate is evaluated as 
In 2 

(Hp + re(p)) — (1 — r)hip) — rhip + tip))) 

r 

In 2 

((1 - r)d{p\\p + re{p)) + rd{p + e{p) \\p + re{p))) 



2 <py 



r 

>(1 — r)e{p) 

z, 

which is greater than their rate even in the case of $\epsilon' = 0$. Further, our coefficient is
smaller than their coefficient in this case as follows:

$$\bar{k}(n + l + 1)n(R - h(\bar{p} + \delta_{\bar{p}})) < \bar{p}n(n + n + 1)nR < 8n(n + 1)^2,$$
$$\bar{k}(n + l + 1) = \bar{p}n(n + n + 1) < 4(n + 1)^2$$

because $\bar{p} < 1/2$.

Hence, in order to obtain a tighter bound, it is better to use our formula

IV. ERROR CORRECTING CODE 
A. Type method 

In this section, we treat classical error correcting codes. For this purpose, we review the
type method for binary strings. For any element $x \in \mathbb{F}_2^n$, we define
$|x| := |\{i \mid x_i = 1\}|$ and $T^k := \{x \in \mathbb{F}_2^n \mid |x| = k\}$. Further, the
number of elements is evaluated by

$$\frac{1}{n+1} 2^{nh(k/n)} \le |T^k| \le \Big| \bigcup_{k' \le k} T^{k'} \Big| \le 2^{nh(k/n)} \qquad (9)$$

for $k < n/2$. For any distribution $P$ on $\mathbb{F}_2^n$, we define distribution $P$ on $\{0, \ldots, n\}$ and $P_k$
on $T^k$ as

n J 

otherwise. 




Hence, we have

$$P(x) = \sum_{k=0}^{n} P(k)P_k(x).$$



B. Bound for random coding 

In this paper, we focus on linear codes, which are defined as linear subspaces of
$\mathbb{F}_2^n$. In preparation for the following section, we consider the error probability
when the noise of the classical communication channel is given as a classical channel $W$ (a
stochastic transition matrix) on $\mathbb{F}_2^n$. If a channel $W$ is written by a
distribution $P_W$ on $\mathbb{F}_2^n$ as

$$W(y|x) = P_W(y - x),$$

it is called an additive channel. For an additive channel $W$, we define the following
distribution:

$$P_W(k) := P_W\{x \mid |x| = k\}.$$

In order to protect our message from the noise, we often restrict our message to be sent in a
subset of $\mathbb{F}_2^n$. This subset is called a code. When the noise is given by an additive
channel, a linear subspace $C$ of $\mathbb{F}_2^n$ is suitable for our code because of the
symmetry of the noise. Hence, in the following, we call a linear subspace $C$ of
$\mathbb{F}_2^n$ a code.

Now, in preparation for the following section, we consider the error correcting code using a
pair of codes $C_1 \subset C_2$. In order to send any information $[x_2]_1 \in C_2/C_1$, we send
$x_1 + x_2$ by choosing $x_1 \in C_1$ with the uniform distribution, where $[x]_i$ denotes the
equivalence class divided by $C_i$. In this case, the decoder is described by the map $D$ from
$\mathbb{F}_2^n$ to itself. When the channel is given by $W$, the average error probability is

PeMD)
However, we often describe our decoder by the coset representative $\Gamma([x]_2)$ for each
$[x]_2 \in \mathbb{F}_2^n/C_2$. That is, when the decoder receives the element $y$, he decodes
it to $D^{\Gamma}(y) := [y - \Gamma([y]_2)]_1$. When the channel is given by an additive channel
$W$, the error probability is

where $\Gamma := \{\Gamma([x]_2) \mid [x]_2 \in \mathbb{F}_2^n/C_2\}$, and
$\Gamma + C_1 := \{x + x_1 \mid x \in \Gamma, x_1 \in C_1\}$. For example, when we choose the
minimum Hamming distance decoding $D_{C_2/C_1}$:

$$D_{C_2/C_1}(y) := \operatorname{argmin}_{[x_2]_1 \in C_2/C_1} \min_{x_1 \in C_1} |y - (x_1 + x_2)|.$$

By using the map $\Gamma([x]_2)$:

$$\Gamma([x]_2) = x + \operatorname{argmin}_{x_2 \in C_2} |x + x_2|,$$

it can be written as

$$D_{C_2/C_1}(y) = [y - \Gamma([y]_2)]_1.$$

In the following, we denote the above $\Gamma$ by $\Gamma_{C_2}$.

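Now, we consider the average error when we choose the larger code $C_2$ randomly.

Lemma 1 Let $C_1$ be an arbitrary $[n, t]$ code ($C_1 \subset \mathbb{F}_2^n$). We randomly
choose the $(t + l)$-dimensional code $C_2(X) \supset C_1$ such that any element
$x \in \mathbb{F}_2^n \setminus C_1$ belongs to $C_2(X)$ with the probability
$\frac{2^{t+l} - 2^t}{2^n - 2^t}$. Then, any additive channel $W$ satisfies

$$\mathrm{E}_X[1 - P_W(\Gamma_{C_2(X)} + C_1)] \le \sum_{k=0}^{n} P_W(k)\, g(2^{l+t-n}|n, k),$$

where

$$g(x|n, k) := \begin{cases} \min\{2^{nh(k/n)}x, 1\} & k \le \lfloor n/2 \rfloor \\ 1 & k > \lfloor n/2 \rfloor. \end{cases}$$

Proof: Let $T^k$ be the set $\{x \in \mathbb{F}_2^n \mid |x| = k\}$. Then,
$P(x) = \sum_{k=0}^{n} P(k)P_k(x)$. Hence,

$$P(\Gamma_{C_2(X)} + C_1) = \sum_{k=0}^{n} P(k)P_k(\Gamma_{C_2(X)} + C_1).$$

Indeed, if $y \in T^k \subset \mathbb{F}_2^n$ does not belong to $\Gamma_{C_2(X)} + C_1$, there
exists an element $x \in C_2(X) \setminus C_1$ such that $|y - x| \le k$. Hence, the probability
that at least one element belongs to the set $\{x \mid |x - y| \le k\}$ is less than
$2^{nh(k/n)} \frac{2^{t+l} - 2^t}{2^n - 2^t}$ for $k \le n/2$ because
$|\{x \mid |x - y| \le k\}| = |\{z \mid |z| \le k\}| \le 2^{nh(k/n)}$. (See (9).) Therefore,

$$\mathrm{E}_X[1 - P_k(\Gamma_{C_2(X)} + C_1)] \le 2^{nh(k/n)} \frac{2^{l+t} - 2^t}{2^n - 2^t} \le 2^{nh(k/n)} \frac{2^{l+t}}{2^n}$$

for $k \le n/2$, where the last inequality follows from $l + t \le n$. This value is also
bounded by 1. Hence,

$$\mathrm{E}_X[1 - P(\Gamma_{C_2(X)} + C_1)] = \sum_{k=0}^{n} P(k)\, \mathrm{E}_X[1 - P_k(\Gamma_{C_2(X)} + C_1)] \le \sum_{k=0}^{n} P(k)\, g(2^{l+t-n}|n, k).$$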


V. GENERALIZED PAULI CHANNEL 

In this section, in preparation for our proof, we give some notations concerning generalized
Pauli channels. In order to describe them, for any two elements $x = (x_1, \ldots, x_n)$,
$y = (y_1, \ldots, y_n) \in \mathbb{F}_2^n$, we use the product:

$$x \cdot y := \sum_{i=1}^{n} x_i y_i.$$

Thus, the space $\mathcal{H}_2^{\otimes n} = (\mathbb{C}^2)^{\otimes n}$ is spanned by
$\{|x\rangle\}_{x \in \mathbb{F}_2^n}$. Now, we define the unitary matrices $X^x$ and $Z^z$ for
$x, z \in \mathbb{F}_2^n$ as:

$$X^x|x'\rangle = |x' - x\rangle$$
$$Z^z|x'\rangle = (-1)^{x' \cdot z}|x'\rangle.$$

From the definition, we have the relation

$$(X^xZ^z)(X^{x'}Z^{z'}) = (-1)^{x \cdot z' - x' \cdot z}(X^{x'}Z^{z'})(X^xZ^z).$$

When the channel $\Lambda$ has the form:

$$\Lambda(\rho) = \sum_{x,z \in \mathbb{F}_2^n} P_\Lambda(x, z)(X^xZ^z)\rho(X^xZ^z)^\dagger,$$

it is called a generalized Pauli channel. Indeed, a generalized Pauli channel is a quantum
analogue of an additive channel. In fact, it is known that the channel $\Lambda$ is generalized
Pauli if and only if

$$\Lambda(\rho) = (X^xZ^z)^\dagger \Lambda((X^xZ^z)\rho(X^xZ^z)^\dagger)(X^xZ^z), \quad \forall x, z \in \mathbb{F}_2^n. \qquad (10)$$

For any channel $\Lambda$, we often focus on its twirling $\Lambda_t$ defined as


A^'^(p) := (X^Z")tA((X^Z")p(X^Z")t)(X^Z"). 



From (10), the twirling $\Lambda_t$ is always a generalized Pauli channel.

In the treatment of generalized Pauli channels, the distribution $P_\Lambda(x, z)$ is important.
Hence, we introduce some notations for this distribution. We define the distributions
$P_{\Lambda,X}(x)$ and $P_{\Lambda,Z}(z)$ as

$$P_{\Lambda,X}(x) := \sum_{z \in \mathbb{F}_2^n} P_\Lambda(x, z), \qquad P_{\Lambda,Z}(z) := \sum_{x \in \mathbb{F}_2^n} P_\Lambda(x, z).$$

These are called marginal distributions. We also define the conditional distribution as

^'^'^|-^^^> ■= p^y 

Next, we treat a generalized Pauli channel A on the tensor product system (C^)®"^ (8'(C^)®"'^. 
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In this case, we use the following notation. 



-PA,i(a;i, zi) 



Pa,2{x2,Z2) 



^2, Z1Z2) 




PA,Z,l,2i^l, k2) 



J2 P^AT'nl X 



(11) 



Pa,1\Z,2{Xi,Zi\z2) 



Y.X2eF2^ Pa,1\Z,2{XiX2, Z1Z2) 



Pa,Z,2{^2) 



Pa,Z,1\Z,2{zi\z2) 



^ Pa,1\Z,2{Xi,Zi\z2). 



Note that $P_{\Lambda,Z,1,2}$ is different from $P_{\Lambda,Z}$. These notations will be used in the following 
sections. 



VI. PROOF OF MAIN THEOREM 
A. Modified protocol 

In this section, we prove Theorem Q by treating the security of the following protocol. In 
the following protocol, we fix the generalized Pauli channel $\Lambda$ from the $n$-qubit system to itself. 

(i) Alice generates $Z_+ \in \mathbb{F}_2^m$ randomly, and sends Bob $G(C_1)Z_+ \in \mathbb{F}_2^n$ with the + basis 
through the $n$-qubit generalized Pauli channel $\Lambda$. 

(ii) Bob measures the received $n$ qubits with the + basis. Performing the decoding of the 
code $C_1 \subset \mathbb{F}_2^n$, he obtains $Z_+ \in \mathbb{F}_2^m$. 

(iii) They do the processes (ix) - (xi) of the previous protocol. In this case, we assume 
that the dimension of the code $C_1$ (the subcode $C_{2,+}(Y_+)$) is $t$ ($s$). 

This protocol is the special case that the channel is known. 



For any channel $\Lambda$ from the system $\mathcal{H}$ to itself, the state on the environment system can 
be described by using its Stinespring representation $(\mathcal{H}_E, U, |0\rangle_E \in \mathcal{H}_E)$: 

$$\Lambda(\rho) = \mathrm{Tr}_{\mathcal{H}_E}\, U \rho \otimes |0\rangle_E\,{}_E\langle 0|\, U^*.$$

That is, the state on the environment system is characterized by another channel $\Lambda_E(\rho) := \mathrm{Tr}_{\mathcal{H}}\, U \rho \otimes |0\rangle_E\,{}_E\langle 0|\, U^*$. 

In the above protocol, the distribution of Eve's signal $Z_E$ is described by a POVM $M_{Z_E}$ 
on $\mathcal{H}_E$ as $P(Z_E|Z) = \mathrm{Tr}\, M_{Z_E}\Lambda_E(\rho_Z)$. Therefore, in order to evaluate the classical mutual 
information $I(Z, Z_E)$, it is sufficient to evaluate the quantum mutual information (Holevo 
information) 

/(W£C,/c.(y),pJf'"''(W)) 
E TVpJf'<->(|.i) 

Heci/C2(y) 

.(iogpji-"<'-'(n)-iog,j:f'«), (12) 

where pJi''""''(W) := E,,«Mn Asik + =2) + ^d) and pjf'"'' := 
Qp^^[z\&Ci/C2{Y) Piv,E^'^'^^\[A)- ■'■^ following, we often abbreviate (fT^ as Ih{Z,Ze)- 

Theorem 3 We can evaluate Eve's information as follows. 

Ey^ [I{[Z] G Ci/C2(n,.),pJ/^^(^HM))^ 
$$\le \eta_{m-s}\Bigl(\sum_{k=0}^{n} P_{\Lambda,Z}(k)\,g(2^{-s}|n,k)\Bigr),$$

where $m = \dim C_1$ and $\eta_k$ is defined as 

$$\eta_k(x) := h(x) + kx.$$

This theorem will be proved in Section VIII. 
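A numerical evaluation of the right-hand side of Theorem 3, added here as an illustration and not code from the paper. It assumes $g(x|n,k) = \min\{2^{nh(k/n)}x, 1\}$ for $k < n/2$ and $1$ otherwise (the form suggested by the bound at the end of Section IV), takes $s$ as the dimension of the subcode, and models $P_{\Lambda,Z}(k)$ as a binomial weight distribution with phase error rate `p`; the function names and sample parameters are constructed for the example.

```python
import math

def h(x):
    """Binary entropy with base-2 logarithm."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)

def eta(k, x):
    """eta_k(x) := h(x) + k*x, as defined after Theorem 3."""
    return h(x) + k * x

def g(log2_x, n, k):
    """Assumed g(x|n,k): min(2^{n h(k/n)} x, 1) for k < n/2, else 1.
    x is passed as log2(x) so that 2^{-s} is handled in the exponent."""
    if 2 * k >= n:
        return 1.0
    exponent = n * h(k / n) + log2_x
    return 1.0 if exponent >= 0.0 else 2.0 ** exponent

def weight_pmf(n, k, p):
    """Assumption: i.i.d. phase errors, so the weight k is Binomial(n, p)."""
    log_pmf = (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
               + k * math.log(p) + (n - k) * math.log(1.0 - p))
    return math.exp(log_pmf)

def eve_information_bound(n, m, s, p):
    """eta_{m-s}( sum_{k=0}^{n} P(k) g(2^{-s}|n,k) ), in bits."""
    total = sum(weight_pmf(n, k, p) * g(-s, n, k) for k in range(n + 1))
    return eta(m - s, min(total, 1.0))

def min_sacrificed_bits(n, m, p, target):
    """Smallest s whose bound is at most `target` bits, or None if none is."""
    for s in range(m + 1):
        if eve_information_bound(n, m, s, p) <= target:
            return s
    return None

if __name__ == "__main__":
    n, m, p = 1000, 700, 0.05   # constructed sample parameters
    print("s, final key length m - s, bound on Eve's information (bits)")
    for s in (0, 300, 350, 400, 450):
        print(s, m - s, eve_information_bound(n, m, s, p))
    print("smallest s with bound <= 1e-3:", min_sacrificed_bits(n, m, p, 1e-3))
```

With $s = 0$ the bound is the trivial value $m$; it only becomes small once $s$ exceeds $nh(k/n)$ for every weight $k$ that carries non-negligible probability.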

B. Proof of Theorem ^ 

Now, we go back to our main protocol. First, we fix the random variables $\mathrm{pos}_+$, $k_+$, $Y_\times$. 
Then, it is sufficient to treat the quantum system of the + qubits. In the following, 
we characterize the system of raw keys by the subscript k, and the other system of check 
qubits C'"" by the subscript c. 

Hence, we denote the quantum channel of this system by $\Lambda$. Note that $\Lambda$ is not necessarily 
generalized Pauli. In the following, we abbreviate $l_\times$, $\mathrm{pos}_\times$, $k_\times$, $Y_+$ by $l$, pos, $k$, $Y$, respectively. 

In this case, the variable pos takes a subset of $l$ elements $\{i_1, \ldots, i_l\} \subset \{1, \ldots, n + l\}$, 
where $i_1 < \ldots < i_l$. Then, we define the unitary matrix $U_{\mathrm{pos}}$ as 



Un+h 



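where $\{j_1, \ldots, j_n\} = \{i_1, \ldots, i_l\}^c$ and $j_1 < \cdots < j_n$. Every subset is chosen with the 
probability $1/\binom{n+l}{l}$. We also define the channel $\Lambda^{\mathrm{pos}}$ for any channel $\Lambda$ as 

$$\Lambda^{\mathrm{pos}}(\rho) := U_{\mathrm{pos}}^\dagger\bigl(\Lambda(U_{\mathrm{pos}}\,\rho\,U_{\mathrm{pos}}^\dagger)\bigr)U_{\mathrm{pos}}.$$

Then, we can show that 

$$(\Lambda^{\mathrm{pos}})_t = (\Lambda_t)^{\mathrm{pos}}.$$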



Hence, any generalized Pauli channel A satisfies 



(13) 



E 



pos 



(fcfc, kc 



--PA,z{kk + kc)Phg{kc\n, I, kk + kc 



(14) 



where we used the notation given in (fTT|) . 

Now, we consider the case where Alice and Bob choose the variable pos and obtain the 
difference between their check bit with the x basis. When k < \zc\ < k, the average of 
Eve's final information is evaluated as 



E 



Y+ 



I{[z] G C,/C,iY^, nhC-f + 5|,,|)), p^/^ilUN)) 
<h{^P(At)p°-,zMzA^\^c)f{k, \zc\ \n,l,6k) 

k=0 

+ n{R-h{\zc\/l + 6k)) 

n 

■ ^ P(At)p°^z,k\zAk\^c) f{k, \zc\ \n, I, 5k). 



(15) 



k=0 
When $|z_c| < k$, we obtain 



l{[z] e C,/C,{Y^, nhq + %)), p5/)2,ri( W)) 

-^(X^ h^t)p°'',zMzAk\zc) fik, k\n, I, j 

k=0 

+ n{R-h{k/l + 6k)) 

n 

■ PiAt)p°-,z,k\zAk\^c)f{k, k\n, I, Sk)- 

k=0 



(16) 



Of course, when \zc\ > k, the average of Eve's final information is equal to zero because 
any information is discarded in this case. The inequalities and (fTHIl will be shown in 
Appendix O by using Theorem El 

Finally, we take the expectation concerning Zc and pos: 



EposE.Ey^ [/([Z] GC'i/C'2(r+,n/.(ke|// + 5|..|)),pg/)SrUN)) 
k k 

<7i(max Phg{kc\n,l,j)f{j - k,k\n,l,6k) + ^ Phg{kc\n,l,j)f{j - k^, kc\n,l,6k. 



kc=0 
k 



kc=k+l 



+ max|^^ Phg{kc\nJJ)n{R - h{k/l + Sk))f{j -k,k\nj,5k) 

k 

+ Phg{kc\n,l,j)n{R-h{kc/l + SkJ)f{j-kc,kc\n,l,6k+c) 



(17) 



kc=k+l 

This inequality will be proved in Appendix O Hence, we obtain Theorem ^ Similarly, we 
have 

Ci/C2{Y) 



<- 



EposE^^Ey^ 

1 



I{[z] e C,/C,{Y^,nh{\z,\/l + 6\^^\)),p^i;;^^^^^^^^^ 
n{R-h{k^/l^ +5k^)) 



/zfmaxj^y^ Phg{kc\nJJ)f{kk,k\nJ,6k) + ^ Phg{kc\nJJ)f{kk,kc\nJ,6k 



n{R-h{k/l^+6^)) V i 



fcc=0 



kc=k+l 



+ maxj^ P/jg(A;c|n,/,j)/(A;fc,^|n,/,5fc) + ^ Phg{kc\n,l,j)f{kk,kc\n,l,6k+c) , (18) 

fcc=0 kc=k+l 

This inequality will be proved in Appendix |D| Hence, we obtain Theorem |21 
VII. SECURITY AND PHASE ERROR 



In this section, we treat the relation between Eve's information and the phase error. This 
relation is one of essential parts for Theorem |21 The purpose of this section is proving the 
following lemmas 

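Lemma 2 Let $\Lambda$ be a generalized Pauli channel on the system $(\mathbb{C}^2)^{\otimes n}$. Then, we have 

$$I(x \in \mathbb{F}_2^n, \Lambda_E(|x\rangle\langle x|)) \le \eta_n(1 - P_{\Lambda,Z}(0)). \tag{19}$$

Since $1 - P_{\Lambda,Z}(0)$ can be regarded as the phase error, this lemma gives a relation between 
the phase error and Eve's information. 

Proof: The Stinespring representation of $\Lambda$ is given as $((\mathbb{C}^2)^{\otimes 2n}, U, |\phi\rangle)$: 

$$|\phi\rangle := \sum_{x,z} \sqrt{P_\Lambda(x,z)}\,|x,z\rangle, \qquad U := \sum_{x,z} X^x Z^z \otimes |x,z\rangle\langle x,z|.$$

Since 

$$U|x'\rangle \otimes |\phi\rangle = \sum_{x,z} \sqrt{P_\Lambda(x,z)}\,(-1)^{x' \cdot z}|x' - x\rangle \otimes |x,z\rangle = \sum_{x} |x' - x\rangle \otimes |\phi_{x,x'}\rangle \otimes \sqrt{P_{\Lambda,X}(x)}\,|x\rangle,$$

Eve's state can be written as 

$$\Lambda_E(|x'\rangle\langle x'|) = \sum_{x} P_{\Lambda,X}(x)\,|\phi_{x,x'}\rangle\langle\phi_{x,x'}| \otimes |x\rangle\langle x|,$$

where $|\phi_{x,x'}\rangle := \sum_{z \in \mathbb{F}_2^n} \sqrt{P_{\Lambda,Z|X}(z|x)}\,(-1)^{x' \cdot z}|z\rangle$. Since $x'$ obeys the uniform distribution, 

$$I(x \in \mathbb{F}_2^n, \Lambda_E(|x\rangle\langle x|)) = \sum_{x} P_{\Lambda,X}(x)\,H(P_{\Lambda,Z|X}(\cdot|x)) \le H(P_{\Lambda,Z}).$$

Hence, using Lemma 3, we obtain (19). 
Lemma 3 Let $P = \{P(i)\}$ be a distribution on $\{0, \ldots, d-1\}$. Then, $H(P) \le h(1 - P(0)) + \log(d-1)(1 - P(0))$. 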

Proof: 

H{P) = - P(0) logP(O) - (1 - P(0)) log(l - P(0)) 
<h{l - P(0)) + \og{d - 1)(1 - P(0)). 



VIII. SECURITY OF KNOWN CHANNEL 

In this section, we treat the security when the channel is known, i.e., prove Theorem 3 
using Lemmas 121 and n. To prove it, for any code $C \subset \mathbb{F}_2^n$ and any elements $[z] \in \mathbb{F}_2^n/C^\perp$ 
and $[x] \in \mathbb{F}_2^n/C$, we define 

$$|x,z\rangle_C := \frac{1}{\sqrt{|C|}} \sum_{x' \in C} (-1)^{z \cdot x'}|x + x'\rangle. \tag{20}$$

Note that this definition does not depend on the choice of the coset representative elements 
$z$ ($x$) of $[z]$ ($[x]$). When we choose $\mathbb{F}_2^n$ as $C$, the above is the discrete Fourier transform. 
Then, we have the following lemma. 

Lemma 4 When two codes $C_1$ and $C_2$ satisfy $C_2 \subset C_1$, any elements $x \in \mathbb{F}_2^n$, $[z_1] \in C_2^\perp/C_1^\perp$, 
and $[z_2] \in \mathbb{F}_2^n/C_2^\perp$ satisfy 

$$|x, z_1 + z_2\rangle_{C_1} = \frac{1}{\sqrt{|C_1/C_2|}} \sum_{[x_1] \in C_1/C_2} (-1)^{(z_1 + z_2) \cdot x_1}|x + x_1, z_2\rangle_{C_2}. \tag{21}$$

Note that the RHS does not depend on the choice of the coset representative elements $x_1$ of 
$[x_1]$. 
Proof: 

1 



Vl^l/^2| [,^]6Ci/C2 



1 



5Z /T7 



[xi]eCi/C2 

Since $(z_1 + z_2) \cdot (x_1 + x_2) = (z_1 + z_2) \cdot x_1 + z_2 \cdot x_2$, we obtain (21). 
Lemma 5 

^ \x + xi){x + xi\ = ^ |x, zi)ci Ci(a;, 

Proof: From the definition of $|x,z_1\rangle_{C_1}$, we have 

^ \x,zi)c^ cAx,zi\ 



E EE 



a; 



\Ci\ 

= |x + x') (x + x'l, 
because y E Ci satisfies 



+ x' + x" - x') (x + x'l 

^ E E E(-i)"''i^+^'+^)<^+^'i 



1 V- . X \ I iiy = 



Now, we define the minimum error: 

P{[z^]eC^/C^,A{\0,z^ + Z2)c, (0, + ^2!)) 
:= mini 1- 

M 



Tr M[,,]A(|0, z^ + Z2)c, (0, ^1 + ^2!)) ' 
^ , |C2^/Ci^l 

[2i]6C2^/Ci^ 12/11 
where $M$ is a POVM $\{M_{[z_1]}\}_{[z_1] \in C_2^\perp/C_1^\perp}$. Then, we have the following evaluation. 
Lemma 6 

I{[xi]eCi/C2,AE{T^ Y] |Xi +X2)(Xi +X2I)) 

1 

[Z2]&F1^/C^ 

■PizieC^/C^,A{\0,z^ + Z2)c, (0,^1 + ^2!)), (23) 
where m = dim Ci and s = dim C2 ■ 

Proof: Using Lemma El and the convexity of mutual information, we have 

/([Xi] G Cl/C2,As(^ V |Xi +X2)(Xi +X2I)) 

=I{[xi] e Ci/C2,Ae{ttti Y] 1^1^^2)02 C2{Xi,Z2\)) 



■2/^2 



^T^\ E ^([^1] ^ Ci/C2,Ae(|xi,Z2)c2 C2{X1,Z2\)). (24) 

Applying Lemma El we have 

I{xi e C1/C2, {Ae{\xi, Z2)c2 02(3^1,2:21)) 

<r]m-sP{zieCi/Ci,A{\0,Zi + Z2)c, Ci(0,Zi + 22|)). 

From ()24j) . the concavity of ?7m-s implies 

I{[xi]eCi/C2,AE{T^ V] |xi +X2)(X1 + X2I)) 

-T^ Yl Vm-sPiz^ e C^/C^,A{\0,zi + Z2)c, cA^.z^ + Z2\)) 

<^rn-sT^^ J2 PiZieC^/C^,A{\0,Zi + Z2)c, cA^, Z^ + Z2\)) . 

■ 

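Since $\Lambda$ is a generalized Pauli channel, any coset $[x_0] \in \mathbb{F}_2^n/C_1$ satisfies $\Lambda(|x_0, z_1 + z_2\rangle_{C_1}\,{}_{C_1}\langle x_0, z_1 + z_2|) = X^{-x_0}\Lambda(|0, z_1 + z_2\rangle_{C_1}\,{}_{C_1}\langle 0, z_1 + z_2|)(X^{-x_0})^\dagger$. Hence, 

$$P([z_1] \in C_2^\perp/C_1^\perp, \Lambda(|0, z_1 + z_2\rangle_{C_1}\,{}_{C_1}\langle 0, z_1 + z_2|)) = P([z_1] \in C_2^\perp/C_1^\perp, \Lambda(|x_0, z_1 + z_2\rangle_{C_1}\,{}_{C_1}\langle x_0, z_1 + z_2|)).$$

Thus, 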



P(Z1 G C2^/C^ A(|0,^i + Z2)c, Ci(0,Zl + Z2\)) 

_\Ci\ 

[x'o]GF5/Ci 

P(2;i e C2-^/Ci^, A(|xo,^i + Z2)ci Ci{xq,zi + 2;2|)) 
2" 



]GF5/Ci 

-p{z,eC^/Ci, 

^(^^ 5Z 1^0 + ^1 + ^2)fj F5(2:o + ^1 + 22|)j- 



(25) 



Now, we focus on the step (ix) and the subcode $G(C_1)C_2(Y, s) \subset C_1$, and abbreviate 
$G(C_1)C_2(Y, s)$ to $C_2(Y, s)$. Then, the dual code $C_2(Y, s)^\perp$ satisfies $C_1^\perp \subset C_2(Y, s)^\perp$ and 
the condition of $C_2(X)$ in Lemma ^ when $t$, $l$ and $C_1$ in Lemma ^ are given by $n - v$, $v - s$, 
and $C_1^\perp$, respectively. Then, $n - (l + t)$ in Lemma ^ is given by $s$. Since the generalized 
Pauli channel can be regarded as the additive channel, we can apply Lemma Q. Hence, 

1 



E- 



Y 



\C-,(Y,s) 



E 



N]6Fyc2(y,s)J 



p[z,eC2{Y,s)^/Ci 



A, 



\Ci\ 



\zq + ^1 + 2;2)f5 F5(2:o + ^1 + 2:21 



<J2PwAk)9{2~'\n,k). 

k=0 



(26) 
From (pUj) and (^Hj), the convexity of $\eta_{m-s}$ yields that 



E 



Y 



1 

1^ 



<r]m-s Ey 



/([xi] e C1/C2, Ae(|xi,Z2)c2 C2(a;i72;2|)) 

1 



lz2]€F^/Ci- 

P{zi e C2^/C^ A(|0,^i + Z2)ci Ci(0,;2i + ^2!) 

Ln/2J 



fc=0 



Therefore, from ()24|1 . we obtain Theorem El 



IX. OPTIMAL ATTACK 



In this section, we prove that there exists a collective attack attaining the exponential 
rate (jH) under a condition. Indeed, it is not so easy to evaluate $\max I(Z, Z_E)$. Hence, we 
treat $I_H(Z, Z_E)$ instead of $I(Z, Z_E)$. 



Lemma 7 Assume that the sequence of codes Ci^n,k+ satisfies 

k<{p+e{p))n 

where the channel Wk^n is defined on F2 as PwknU) ~ ^kj- Then, we have 



(27) 



— r 

lim — log E 

n 



max Ih{Z, Ze) 



< min h{p + re{p)) — (1 — r)h{p) — rh{p + e{p)), 

P&[p,p] 



(28) 



where the maximum is taken concerning Eve's operation S. Note that, the above inequality 
holds for any fixed variable . 

Hence, if $\epsilon(p)$ is sufficiently small and the sequence of codes $C_{1,n}$ satisfies the condition (27), 
we have 

— r 



lim — logEpos^,fcx,y+|pos+,fc+,yx [max///(Z, Ze 



n 



-h{p + re{p)) — (1 — r)h{p) — rh{p + e(p)). 



(29) 
This indicates that the method of randomly choosing code $C_2$ is optimal in the sense of large 
deviation. 

In this lemma, we assume the condition (27). Indeed, we need some conditions in Lemma 
7. For example, consider the code $C_1$ that consists of the elements $x$ whose first $n - m$ 
components are zero. In this case, the following proof is not valid. Indeed, when the limit 
$\lim_{n\to\infty} \frac{1}{n}\log|C_{1,n}|$ is greater than $h(p + \epsilon(p))$ and we choose randomly, the condition 
(27) holds. Hence, the condition is not so unnatural. However, a more natural condition 
is needed. 

As is shown later, the exponential rate $\min_{p \in [\underline{p}, \overline{p}]} h(p + r\epsilon(p)) - (1 - r)h(p) - rh(p + \epsilon(p))$ 
can be attained by a collective attack, in which Eve is allowed only individual unitary 
operations to quantum states sent by Alice and any global generalized measurement on 
Eve's local states. Hence, the exponential rate of Eve's information cannot be improved by 
any collective attack, in which Eve is allowed to use any unitary operation to all quantum 
states sent by Alice. 

Now, we construct Eve's strategy attaining the bound $\min_{p \in [\underline{p}, \overline{p}]} h(p + r\epsilon(p)) - (1 - r)h(p) - rh(p + \epsilon(p))$ 
and prove (28). Choose $p_0 := \mathrm{argmin}_{p \in [\underline{p}, \overline{p}]}\, h(p + r\epsilon(p)) - (1 - r)h(p) - rh(p + \epsilon(p))$. 
Eve performs a unitary action $U_{p_0 + r\epsilon(p_0)}$ 



Up\x) ® \0)e ■■= Vp\x) ® 10)^, + (-ir'v/r^lx) ® ll)^; 



for every qubit, where $|x\rangle_E$ is Eve's state. 
We define the unitary {7^: 



f/^"|x)® |0)e: 




yeFl^:\x\=k 



{-ir'\x)^\y)E. 



We can easily show that 
Hence, applying Lemma El to the case of $C_1 = \mathbb{F}_2^n$, $C_2 = C_{1,n}$, we have 



xeFJ a;eCi,„ 
<hiPe,W,JCtn)) + log |Ci,„|Pe,H/,.„(C^l^J, 



where 



Now, we evaluate Eve's information. In this case, the subcode $C_{2,n,k_\times}$ depends on the 
outcome $k_\times$. Taking the pinching map: $\rho \mapsto \sum_{k} P_{n,k}\,\rho\,P_{n,k}$ ($P_{n,k}$ is the projection to the 
space spanned by $\{|x\rangle\}_{|x| = k}$), we have 



>H E 



E E \^ + y){^ + y\ 



where $k$ is the random variable with distribution $P(k) := \binom{n}{k}(p_0 + r\epsilon(p_0))^{k}(1 - p_0 - r\epsilon(p_0))^{n-k}$. 
When k = n{pQ + e(po) + e), = P05 we have 



/^(^e,H..,„(C^^J) - log |Ci,„|P,,H^,,„(Ci^J - log \C2,nM 



log - n/i(-^ + e(-^)) - /i(Pe,w'.,„(Ci^J) - log \C,APe,wUCtn) 
>h{po + e{po) + e) - h{po + e{po)) as n ^ 00. 
Hence, Eve's information can be bounded as 



r2(po + e(Po) + e)/ 
/ 

^ n{h{po + ejpo) + e) - hjpo + e(po))) + o(n) ^^^^p^^^^p^^^^Hp^^^^^p^^^.^^^p^H^^^^^^p^)^ 
(n + l)2 



(po + re(po))'^°(l - Po - re(po))'^'"^°H^(/i(po + e(po) + e) - /i(po + e(po))) + o(n)) 



Thus, we obtain 



lim — logEfc^|pos^,y+,pos+,A:+,yx [max/// {Z+,Ze)] 



—r 

n 

<h{po + re(po)) - (1 - r)h{po) - rh{po + e(po) + e)- 



Taking the limit $\epsilon \to 0$, we obtain (28). 
X. CONCLUSION 

In this paper, we obtained a practical evaluation of security of quantum key distribution. 
This bound improves existing bounds. In order to guarantee the security of an implemented 
QKD system, we need a tighter bound in the finite coding-length. Hence, our bound is useful 
for guaranteeing the security of quantum key distribution with a perfect single photon source. 
However, for a precise evaluation, we have to treat hypergeometric distributions, because 
our bound contains hypergeometric distributions. Hence, it is needed to calculate these 
bounds by numerical analysis based on several calculations of hypergeometric distributions. 

We also derived the exponential rate of our bound as (j3)), and proved its optimality 
in the sense of Holevo information with a class of one-way communication when Cp is less 
than the critical case. However, our condition for our code is not sufficiently natural. Hence, 
it is required to prove this optimality under a more natural condition. One candidate of a 
more natural condition is 

- r,"^^^ Pe,W,JC^,n)-0- (30) 

k<h-^{l-h{p+e{p)))n 

Hence, it is a future problem to show the optimality under the above condition. 
Further, we assumed a perfect single photon source. One idea for the weak coherent 
case is the decoy method [23], which is based on the observation of the security with imperfect 
devices {2^. However, any existing paper [25, 26, 27] of the decoy method does not discuss 
the degree of Eve's information in the framework of finite coding-length, precisely. Hence, 
it is required to extend our result to the weak coherent case with the decoy method. 
APPENDIX A: DERIVATION OF © 

Now, we prove Q. In the following, we denote n + / by m and fix p G [p,p]. We treat 
the case of j = pm, and define the number kp{m) := max{A:|/i( ^"^~^ ) — h{j + 5k) > 0}. In 
this case, the first term of P{6,n,l, k, k) goes to 0. Hence, we focus on the second term of 
P{6,n,l, k, k), which is divided as 

P2{6,nJ,k, k) 

k 
k=0 

k 

+ 5Z Phgik\n,l,j)f{j - k,k\nj,6k^) 

k=k+l 

kp{m) 

= 5Z Phgik\n,l,j) 

k=0 

k 

+ 5Z Phg{k\nJ,3)f{j - k,k\n,l,6kj. 

fe=fcp(m)+l 

Since /^( P'^-^pM ) = /^(M^ + 4), we have kp{m) = pi - ^6k. Using the relation 4 = ^ 
and the continuity of Cp, we have kp{m) = (1 — r)pm — r(l — r)i{p)y/m + o{^/m). The 
average of k is ^ = (1 — r)pm and the variance of k is J+n'^ti+i-i) ~ • Hence, 
fcp(m) (1 r)pm _^ "^l^^p^ Thus, we have 



/ r(l-r)p(l~p)m ^p(l-p) 



^ P.,(A;|n,/,j) = $ ->==e» 1 • 



fc=0 



When k > kp{m), we can approximate the difference as 

n I In 



Hence, 



^ Phg{k\n,l,j)f{j~k,k\n,l,5k^ 

k=kp (m)+l 
1 



k r{l — r)p{l—p)m 

^ T 



'A;p(m) 

-y'p{l-p) 

■ a/ r(l — r)p(l — p)mdy 
—>0 as m — >• (X), 

I X— (1— r)pm 

where y = / 

a/ r)p(l— p)m 

Next, we consider the case when ^ is strictly smaller than p. The value —h{^^)+h{ =+5k) 
is strictly positive and —h{^^) + h{j + 6k) is smaller than this value if k > k. Hence, 
P2{S, n, l,k, k) goes to 0. 

Finally, we consider the case when ^ is strictly greater than p. In this case, as is mentioned 
in the probability that k is greater than k exponentially goes to 0. Hence, in this case 
P{6,n,l, k, k) goes to 0. Therefore, we obtain Q. 
APPENDIX B: DERIVATION OF (gD 



From 0, we have 



Hence, 



2ZMf)+nM^)-(n+/)/.(^) < p,^(A;|n,/,j) 



(n + l)(Z + l) 

(fc) ij-k) 



rr) 



max ^ /, - ^,^1?^, I, 4x 

fc=0 

+ X] Phgik\nJ,j)f{j - k,k\n,l,5k 



k=k+l 

<k{n + 1 + 1) 

. 2max,.fc/h(f)+nh(i^)-(n+Z)h{;i^)-n[/i(f+4)-/i(i^)]+_ 



Further, 



max ^ P/i3(fc|n, /, - ^fc,:^!^, ^, (^fc 



fc=0 



+ 5Z Ph9{k\n,l,j)f{j-k,k\nJ,SkJ 



k=k+l 



.n{R-h{j + SkJ) 
<n{R - h{p + e{p)))k{n + / + 1) 



Thus, substituting p = |, r = e(p) = 4, e' = f - 4 



we obtain (jSj). Since 



— r 

— max 



I n 



)-in + l)hi-L-) 



n + l' 



n[h{\ + 5,)-h{^—^)Y 
I n 



<E{e,r,p,p), 



(Bl) 



we obtain the part < in (jlj. 
Conversely, 

k 

max Phg{k\n, l,j)f{j - k, k\n, I, 4 J 

A;=0 

k 

+ XI Phg{k\n,l,j)f{j - k,k\n,l,6k^) 

k=k+l 

2max,,fe/h(f)+nM^)-(n+0'^(^j^)-n[M|+5fe)-/»{^)] + 

- (n + l)(/ + l) ■ 

Since the equality in (jBljl holds in the limit n — >^ cxd, we obtain the part > in (jH). 

APPENDIX C: PROOF OF (USD AND (tT^ 

When Alice sends the classical information a; + X+ (x = G(Ci)Z), the probability that 
Bob obtains the local signal := x + — is 

5Z 5Z I<)f5 ^^^{z'^\)\x'^ + X - Xk){x'^ + X - Xk\®\z'^ - z)^^^ f^«-^I) 

<eF5 4eF?, 

^)f5 f^'(4 - ^1) 

Xb){-Xb\ ® I - z)y^ ¥^i{-z\) 
Tr ^ Ex-^eF!, AP°«(pinix,n ® |0)f^' F5(0|)/ ® | - z)y^^ F5(-^|) 
_Tr^E.v»gF^-+'(An^""'^"^(l ^ |0)f^ f^(0|)| - ® | - ;^)Fg f^(-^|) 

~ Tr52(^Ex",."6F^+KAP°^)(""'""HPmix,n® |0)f^ F5(0|)/® 

_ Tr(Af)P°^(| - x){-x\ ® |0)Fg Fg(0|)| - Xk){-Xb\ ® \ - z)^^. Fg(-^| 
Tr(At)p-(p^i,,„® |0)f^ p„(0|)/® I -z)Fn f5(-^|) 

= Tr(Air^'^(|-x)(-x|)|-x,)(-x,|, 
where 

In the derivation of ()C1|) . we use (fT^. 



Tr ^ E<eF^ AP°^(Pmix,n ® |<)f5 F5«|)/ ® |< - 
Tr E^^.F^ E4.n(A^°^)^^''='°'°^^ni - ® |0)f5 f^(0|)| - 



(CI) 
In this case, we can regard that Bob measures the state (Af)P°'''^(| — x){—x\). Hence, 
Eve's state can be regarded as {{At)^°^'^)E{\ — Hence, applying Theorem El we 

obtain (fTH|l and (fTT)|l . 
APPENDIX D: PROOF OF (17) AND (18) 



First, we evaluate EposE^^Ey, 



I{[z] G Ci/C2(n,nMkc|// + 5|..|)),p5/)SIi(N)) 



as 



E„nsE 



pOS-^Zc 



n 



|2c|<fc 



kk=0 



+ ^ -P(Ai)p°^z,c(^c)/?-( P{At)P°^z{h\Zc)f{kk, \Zc\ \n,l,S\^) 

k<\zc\<k fefe=0 



^pos[ ^ P{At)p°-,z,c{^c)n{R - h{k/l + 6k)) ^ P(At)pos^z{h\zc)f{h,k\n,l,6k 

\zc\<k fcfc=0 



+ X] P{At)p°-,z,c{^c)niR - h{\zc\/l + 5\z,\)) ^ P{At)p°-,zih\zc)fih, \n, I, 

k<\zc\<k ki,=0 

(Dl) 

n 

P{At)P°-,Z,c{^c) ^ -P(At)P°=,^(^fckc)/(^fc,^|^, ^,%) 

|2:c|<fc fcfe=0 
n 

k<\zc\<k fcfc=0 



+ Epos ^ P{At)p°^z,ci^c)n{R - h{k/l + 6k)) P{At)p°^zih\zc)fikk,k\nJ,6k 



\zc\<k 



kk=0 



+ 5Z ^(At)p°=,z,c(2:c)'^(^ - /i(kc|/^ + 5|2c|)) P{At)p°-,z{kk\zc)f{kk, \zc\ \n, I, 4) 

fc<|2c|<fc 



(D2) 



HE EE 

fcj.=0 fec=0 

n fc 

n k 

+ EEE: 

A;j.=0 A:c=0 

n k 

+ E E E 



P{At)p°^z,k,c{kk, kc)f{kk, k\n, I, 4) 

P{At)p°^z,k,c{kk, kc)f{kk, kc\n, /, 4J 
P{At)p°-,z,k,cikk, kc)n{R - h{k/l + Sk))f{kk, k\n, I, 6k) 

P(At)p°^z,k,cikk, K)n{R - h{kjl + 6kJ)fikk, kc\n, I, 6k+c) 



(D3) 



k^=0 kc=k+l 
Further, the RHS of (D3) is evaluated as 



(RHS of mm ) 

n k 

^ P{\t),z{kk + kc)Phg{K\n,l,kk + K)f{kk,k\n,l,6k) 

fcfe=0 kc=0 

n k 

+ ^ ^ P{At),z{kk + kc)Phg{kc\n, I, kk + kc)f{kk, kc\n, I, 4jj 

fcj,=0 kc=k+l 
n k 

+ ^ ^ P(At),zikk + kc)Phgikc\n, I, kk + kc)n{R - h{k/l + 5k))f{kk, k\n, I, 6k) 

n k 

+ ^ ^ PiAt),z{kk + kc)Phg{kc\n, I, kk + kc)n{R - h{kjl + 5kJ)f{kk, kc\n, I, 5k+c) 

kk=0 kc=k+l 

(D4) 

k k 

<7ifmax[^y^ Phg{kc\n,l,j)f{kk,k\n,l,6k) + ^ Phg{kc\n,l,j)f{kk,kc\n,l,6k, 



fcc=0 



fcc = fc+l 



+ max Phg{kc\n, I, j)n{R - h{k/l + Sk))f{kk, k\n, I, 4) 

fcc=0 

k 

+ X] Phg{kc\n,l,j)n{R - h{kc/l + 6kJ)f{kk,kc\n,l,6k 



kc=k+l 



(D5) 



In the above relations, (D1) follows from (fT^ and (fTBj), (D2) follows from the convexity 
of $h$, (D4) follows from (|TH), and (D5) follows by replacing $k_k + k_c$ by $j$. Hence, we obtain 
(17). 






Similarly, we have 

m e c'i/c'2(n,nMkei//+5|..i)),pg/)2,rUN)) 



<- 



EposEz^Ey^ 
1 



n(i?-/i(A;/Zx +%)) 



n{R-h{k^/l^+6kJ) 

n 



\zc\<k 



kk=0 



+ ^ P{At)P°-,Z,c{Zc)h{ y^^ P{At)P°-,z{h\Zc)fikk, 
k<\zc\<k kk=0 



\Zc\ |n,/,(5|z^|) 

+ Epos|^^ P{At)p°^zA^c) P(At)p°-,zikk\zc)fikk, k\n, I, 5k) 



\zc\<k 



kk=0 
n 



+ X] -P(At)P°^^.c(^c) -P(Ai)P°^z(fcfckc)/(fcfc, \Zc\ 1^, /,^|zc|) 



<- 



n(i?-/i(A;//x +%)) V J 



/i(max ^ Phg{kc\n, l,j)f{kk, k\n, I, 6k) + ^ Phg{kc\n, l,j)f{kk, kc\n, I, 6k 



kc=0 



kc=k+l 



+ max ^ Phg{kc\n, l,j)f{kk, k\n, I, 6k) + Phg{kc\n, l,j)f{kk, kc\n, I, 6k+c) 



fec=0 



kc=k+l 



Hence, we obtain (fT^ . 